Data Protection, Privacy & Security


To comply with the Data Protection Act (1988) and the General Data Protection Regulation (GDPR), which came into effect on 25th May 2018, the society has taken the following steps.

The society processes personal data for recreational reasons only. It is exempt from registration, although it is still required to comply with the GDPR. This was determined by completing the ICO’s online Registration Self-Assessment questionnaire.

Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • fairly and lawfully processed;
  • processed for limited purposes;
  • adequate, relevant and not excessive;
  • accurate and up to date;
  • not kept for longer than is necessary;
  • processed in line with your rights;
  • secure; and
  • not transferred to other countries without adequate protection.

The society is also obligated to carry out a few simple procedures as described below.

  • Tell people what you are doing with their data
  • Make sure your staff are adequately trained
  • Use strong passwords
  • Encrypt all portable devices
  • Only keep people’s information for as long as necessary

In line with these principles and procedures, the following notes describe the policies and practices adopted by the BAHS and how they may affect our members and visitors (individuals who have signed up to our information service).

Why Is Data Held on Individuals?

The GDPR refers to various reasons by which data on individuals may be held. The BAHS holds data on individuals for two reasons.

  • The first reason is a ‘legal obligation’. When a subscription is taken out with the BAHS there is a legal obligation for the BAHS to keep records on individuals who take out a subscription.
  • The second reason is called ‘legitimate interest’ and this is the basis on which the BAHS holds records on individuals to meet their interest in the activities of the BAHS.

When the BAHS contacts present members, past members and/or visitors we do so as they have shown a legitimate interest in BAHS activities. For present members contact may be made to fulfil the legal obligation relating to their BAHS subscription.

Opt In/Opt Out?

Past and present members may opt out of email contact at any time. Past members and visitors may also request that their details be removed from the BAHS system.

Present members may also request that their details be removed from the BAHS system, although this will mean their subscription is terminated. No subscription payments will be reimbursed in this situation.

Data Held

The data held by the BAHS on members and visitors is used by committee members to:

  • Run the BAHS
  • Communicate with members and visitors by email, post and at meetings
  • Administer the Members’ Area

The society does not share or sell your data to other organisations or third parties.

The data is held in a secure area of our website accessible only to members of the BAHS committee. To assist in the running of the society, the committee may download data from the website and print it out. This does not (in fact cannot) include passwords used by members. The data held by the society may be used by the BAHS committee to assess trends and guide decision making. Committee members are responsible for the safekeeping of data they download.

Examples of data downloaded and printed by committee members are address labels, membership and subscription lists.

The data held by the society covers:

  • Member’s name and possibly their partner’s name
  • Correspondence address and possibly a second address. Correspondence addresses are used for the delivery of items such as newsletters and the Glaven Historian
  • Phone numbers to allow the committee to contact members in case of an issue
  • Email addresses are used to contact members regarding events and other matters the committee thinks may be of interest. The committee tries to minimise the number of emails sent to members to no more than one or two a week. Notification emails to individual members will be generated when a member uses the Members’ Area (see below)
  • Individual preferences covering, for example, how you receive items like the AGM papers
  • Subscription information including membership category, payment details, payment method and date payment recorded
  • Bank details are recorded to allow auditing and tracking of payments; however, this information is present on all cheques in any case
  • Details on meeting attendance are recorded including the names of attendees

Data NOT Held

Please note the society doesn’t hold data such as credit card details.

Individuals’ Rights

The GDPR provides the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

If a member wishes to access their data they may do so by:

  • Viewing the data held by the BAHS by logging into the Members’ Area.
  • Requesting the data held by writing to the Secretary. Please click here for the correspondence address. The BAHS expects to reply within one month of receiving your request, but please note that we are a society operated by volunteers.

Members’ Area

Through the secure Members’ Area it is possible for members (with an email address) to log in to check their subscription history, if any. They may also review the personal data held by the society and update it as required.

Passwords

Members are advised to use a unique password for access to the BAHS website. We understand this isn’t the easiest thing to do; however, to reduce risk, members should not use on the BAHS website a password that is also used on sensitive or secure websites, such as banking, financial or cloud file-management websites, which if hacked could cause a financial loss or the loss of important data.

Security

When members use the Members’ Area, notification emails (covering actions such as login, logout or updating personal details) are sent to the login email address. If a member receives such an email and they had not used the Members’ Area, they should email the webmaster, as it implies a possible security issue. If you do not receive these emails when using the Members’ Area, please check that they are not going into a junk or spam folder. Whilst it isn’t recommended by the society, it is possible to disable the receipt of notification emails.

Membership data held on the website is accessible only by logging in with a strong password. Passwords are stored using a one-way hashing technique, the 256-bit hash known as SHA256, so the stored value cannot be turned back into the password. Click here for information held on Wikipedia about this technique.
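The following is an added illustration of the one-way password storage described above; it is not the society’s own code. The page states only that passwords are hashed with SHA256, so the per-user random salt and the constant-time comparison are assumptions added here as common hardening, and the record layout is constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative record: what the website would keep instead of the password.
# The page states only "SHA256"; the salt is an assumption added here.

def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a stored record holding the salt and the SHA256 digest, never the password."""
    if salt is None:
        salt = os.urandom(16)  # random per-user salt (assumption, not stated on the page)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return {"salt": salt.hex(), "sha256": digest}

def verify_password(record: dict, attempt: str) -> bool:
    """Recompute the digest for the attempt and compare in constant time.

    There is no way to recover the password from the record; the only
    operation the stored value supports is checking a candidate.
    """
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.sha256(salt + attempt.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, record["sha256"])

def exported_fields(record: dict) -> set:
    """Fields a committee download would contain: the hash record only, no plaintext."""
    return set(record)

if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample password
    print("stored record:", rec)
    print("correct password accepted:", verify_password(rec, "correct horse battery staple"))
    print("wrong password rejected:", not verify_password(rec, "wrong"))
```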

Changes to membership data held on the website are recorded in an audit trail accessible by the webmaster.

Further Information

If you have questions or concerns about how the society uses the data it holds on you please email the webmaster who has been nominated by the BAHS Committee as the society’s Data Protection Officer.